EU privacy reform: who pays when the rules are broken?

BRUSSELS New European Union data protection rules expected to be agreed on Monday will allow citizens to sue companies that own data as well as those that process it on their behalf, for example cloud computing providers.

The new system is opposed by companies such as Germany's SAP SE, International Business Machines Corp, Cisco Systems Inc and Amazon.com Inc who say it will kill off Europe's cloud computing industry, as well as introduce uncertainty in business to business relations.

EU officials say the issue has been the subject of fierce lobbying from companies, who warn it could hamper the creation of a unified market in digital services, a key plank of the European Commission's agenda to boost economic growth in the 28-nation EU.

Under the current, 20-year-old system, cloud providers - companies offering remote storing and processing of data on servers - would classify as "processors" since they do not collect the data themselves. That means they are not held liable for using the data illegally unless they breach the contract with the company for whom they are processing - the data "controller."

EU ministers will seek to reach an agreement on the data protection reform at a meeting in Luxembourg on Monday, after which final negotiations with the European Parliament will start.

"One key issue is who pays if rules (are) broken," said an EU diplomat.

Companies argue that the current system works well and makes it easier for consumers by giving them a single point of contact. For example, if a bank breaks data protection laws, it would make more sense for the person affected to sue the bank, rather than the companies to which it outsources its human resources functions.

"It is important that consumers and businesses understand who ultimately is responsible for processing their data," said Liam Benham, Vice President of Government and Regulatory Affairs at IBM. "Now the EU's draft Data Protection Regulation risks blurring these lines of responsibility, setting the stage for lengthy and costly legal disputes, which will be perplexing for consumers and businesses alike."

Part of the reason for spreading responsibility across several players is that data is often collected by one company, stored by another and processed by a third.

Additionally, many cloud providers are large companies such as SAP, Cisco and Amazon. The Commission feared cloud companies would be able to impose unfair terms on small businesses who would then bear the brunt of the responsibility if something went wrong.

"If an SME finds it hard to find a processor that doesn't want to comply with European contract terms, there is plenty of choice," said Rene Summer, spokesman for the Coalition of European Organizations on Data Protection, which includes SAP, Nokia Oyj and Ericsson.

(Reporting by Julia Fioretti. Editing by Andre Grenon)

Next In Technology News

LONDON Web-based digital currency bitcoin hit its highest levels in almost three years on Friday, extending gains since India sparked a cash shortage by removing high-denomination bank notes from circulation a month ago.

Japanese electronic parts maker TDK Corp is in talks to acquire InvenSense Inc, a U.S. chip maker that produces motion sensors for Apple Inc and Samsung Electronics Co, people familiar with the matter said on Friday.

WASHINGTON The White House said on Thursday that it raised concerns about China's new cyber security law during a meeting with a Chinese official after the latest round of talks between the two countries on cyber crime.

Reuters is the news and media division of Thomson Reuters. Thomson Reuters is the world's largest international multimedia news agency, providing investing news, world news, business news, technology news, headline news, small business news, news alerts, personal finance, stock market, and mutual funds information available on Reuters.com, video, mobile, and interactive television platforms. Learn more about Thomson Reuters products: